 

How JSF 2.0 prevents CSRF

I am researching something I hear regularly: that when doing a webapp in JSF 2.0 you are already protected from cross-site scripting and cross-site request forgery. The following excerpt from an SO post confirms this:

In JSF 2.0 this has been improved by using a long and strong autogenerated value instead of a rather predictable sequence value and thus making it a robust CSRF prevention.

Can someone provide some more detail on this? How does this autogenerated value prevent CSRF? Thanks!

Leanne asked Jan 02 '12 19:01




1 Answer

How does this autogenerated value prevent CSRF?

Because it cannot be guessed. So the attacker cannot hardcode it in a hidden field in a form of the attack website (unless the target site has an XSS hole and thus the value can simply be obtained directly by XSS means). If the value is not valid for JSF, then the form submit from the attack website will simply not be processed but will instead generate a ViewExpiredException. Please note that the attacker would still need to get the session ID so that it can be passed back through the jsessionid URL attribute, so the originally "weak" CSRF protection would still require some XSS hole to obtain the session ID.

After all, I have the impression that you do not understand at all what CSRF is; the answer is rather self-explanatory if you understand what CSRF is. In that case, please check the following question: Am I under risk of CSRF attacks in a POST form that doesn't require the user to be logged in?

BalusC answered Nov 16 '22 03:11
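The mechanism the answer describes, as an added example that is not part of the original post and not JSF's own code: a toy server that issues a hidden javax.faces.ViewState value with every rendered form, remembers it per session, and rejects a postback whose value it does not know with a ViewExpiredException. The `predictable` flag models the older sequence-counter style of value ("j_id1", "j_id2", ...) that the quoted excerpt contrasts with JSF 2.0's long random value. The example models server-side state saving only and assumes, as in the usual CSRF setting, that the session ID travels in a cookie the victim's browser attaches automatically; the class and function names are the example's own.

```python
# Added example: model of a per-view synchronizer token (not JSF's implementation).
import secrets
from dataclasses import dataclass, field


class ViewExpiredException(Exception):
    """Raised when a postback carries a view-state value the server does not know."""


@dataclass
class Session:
    session_id: str
    # view-state values issued to this session, mapped to the saved view
    views: dict = field(default_factory=dict)


class Server:
    """Toy server: every rendered form gets a hidden view-state value, and a
    postback is only processed if that value was issued to the same session."""

    def __init__(self, predictable=False):
        self.predictable = predictable   # True models the old guessable counter
        self.sessions = {}
        self._counter = 0

    def new_session(self):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = Session(sid)
        return sid

    def render_form(self, sid):
        """Return the hidden fields the browser will send back with the form."""
        sess = self.sessions[sid]
        if self.predictable:
            self._counter += 1
            state = f"j_id{self._counter}"      # weak: next value is guessable
        else:
            state = secrets.token_urlsafe(32)    # strong: 256 random bits
        sess.views[state] = {"action": "transfer"}
        return {"javax.faces.ViewState": state}

    def postback(self, sid, fields):
        """Process a submitted form. The session cookie (sid) is attached by the
        browser on any cross-site request; the view-state value is not, so a
        forged form must supply a value the server actually issued."""
        sess = self.sessions.get(sid)
        if sess is None:
            raise PermissionError("no session")
        state = fields.get("javax.faces.ViewState")
        if state not in sess.views:
            raise ViewExpiredException(f"unknown view state {state!r}")
        del sess.views[state]   # one-shot here; real JSF keeps a bounded history
        return "transfer executed"


def attacker_forges(server, victim_sid, guesses=range(1, 1000)):
    """Cross-site attack: the victim's session rides along automatically, so the
    only thing the attacker has to guess is the hidden view-state value."""
    for n in guesses:
        try:
            return server.postback(victim_sid, {"javax.faces.ViewState": f"j_id{n}"})
        except ViewExpiredException:
            continue
    return None   # no guess was accepted


def demo():
    """Run the forgery against both variants; returns (weak, strong, genuine)."""
    weak = Server(predictable=True)
    sid = weak.new_session()
    weak.render_form(sid)                       # victim loads the real form
    weak_result = attacker_forges(weak, sid)    # counter value is guessed

    strong = Server()
    sid2 = strong.new_session()
    strong.render_form(sid2)
    strong_result = attacker_forges(strong, sid2)   # 2^256 space: every guess fails

    # the genuine postback, carrying the value the server just rendered, still works
    genuine = strong.postback(sid2, strong.render_form(sid2))
    return weak_result, strong_result, genuine


if __name__ == "__main__":
    print(demo())
```

The check only means something because the value is both unguessable and bound to the session that received it; a random value the server accepted from any session would merely be a puzzle, not a CSRF defence. With client-side state saving the hidden field carries the serialized view itself rather than a lookup key, so it must be encrypted and integrity-protected (JSF 2.2 does this by default); this example does not model that mode.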